VeriSign Attackers Swiped Data from Servers, Management Left in the Dark

VeriSign has admitted to falling victim to several attacks in 2010 that resulted in information being swiped from their servers.

The revelations came courtesy of the company’s quarterly U.S. Securities and Exchange Commission (SEC) filing from October 2011. Just what information was accessed and how the attacks took place were not revealed in the document, and VeriSign has not responded to a request for comment. But the admission, which was first reported by Reuters, has some questioning why the company did not disclose the attacks when they occurred.

“It’s not fair to sit on this information and not disclose the details to their customers and the public,” opined Gartner analyst Avivah Litan.

According to the SEC filing, the attacks were “not sufficiently reported to the Company’s management at the time they occurred,” leaving management in the dark about the situation until September 2011. After management was informed, the company has instituted better reporting and disclosure requirements for such incidents, according to the company.

The SEC document states that the attacks against VeriSign’s corporate network enabled attackers to access information “on a small portion” of the company’s computers and servers.

“We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network,” the document continues. “Information stored on the compromised corporate systems was exfiltrated.

The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information.” The company said it was unaware of the stolen data being used, but added that it could not be sure if it had been.

In an interview with Reuters, former VeriSign Chief Technology Officer Ken Silva speculated that given both the time elapsed since the attacks and the vague language in the SEC filing, the company “probably can't draw an accurate assessment" of the damage.

Even if its DNS network was unaffected, VeriSign has a number of other services that might be attractive targets for attackers – including its iDefense Security Intelligence Services and offerings for fighting distributed denial-of-service attacks. As for the SSL (secure sockets layer) business purchased from VeriSign by Symantec in 2010, officials at Symantec say their products are unaffected.

“Symantec takes the security and proper functionality of its solutions very seriously,” spokesperson Nicole Kenyon told SecurityWeek. “The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.”

Litan speculated that the attacks may have been part of the larger cyber-assault attributed to the people behind the attack on EMC’s RSA security division disclosed last March. Though RSA was the only company to talk about the attack publicly, some 760 other companies are suspected to have been hit - with the first victims communicating with the attacker’s control networks in November 2010.

“This was probably part of that crime wave against security companies,” Litan said. “We don’t necessarily know if all the hacks were perpetrated by the same bad actors, but it would appear to be the case.”

“If we learned one thing from 2011, it is that we must understand that all organizations (government and private sector) are at risk for compromise by determined adversaries,” said Anup Ghosh, chief scientist at Invincea. “The adversarial picture relevant to most government and private organizations now includes three primary groups – nation states, organized cyber-crime and hacktivists. This problem is everyone's and no one is immune…Unfortunately, you can't recover the crown jewels after they have been stolen as RSA discovered, nor can you undo the brand damage from cyber forensics.”

"What’s scary of this revelation is that not only was VeriSign repeatedly breached, but that the whole process broke down," said Mandeep Khera, CMO at LogLogic. "Senior management wasn’t notified for a long time and the breach wasn’t disclosed publicly. What’s also interesting is that breach notification regulations are bypassed in these cases, because senior management weren’t in the loop.”